In the modern home, everything from TVs and refrigerators to baby monitors and light bulbs can now be connected — and hacked.
The number of smart homes in North America is expected to hit 73 million by 2021, making up more than 50% of all households. By the end of 2016, more than 21.8 million smart homes had already been connected, creating new problems and anxieties for homeowners.
It used to be clear when a break-in had occurred — a window was smashed, or perhaps a door forced open — but today technology is making privacy invasion more insidious. A smart door can be unlocked remotely with no signs of forced entry, cameras can be hacked and homes monitored without user knowledge, and connected refrigerators can be infiltrated to spy on spending and food habits.
Most of these devices can be operated remotely through apps and online portals. So to protect themselves from these hacks, consumers must secure the connected home appliances themselves as well as the computers and phones that control them. This means, first and foremost, keeping hackers out of emails and other accounts.
On a daily basis, hackers use strategies like phishing scams to steal usernames and passwords, posing as a bank or other legitimate establishment to trick users. Consumers should be wary of any email asking for personal information and always check the sender address to be sure it’s based at the website the sender claims to be (like an @paypal.com email address versus a deceptively similar location like @paypal.co or @paypalhelp.com). No measure will guarantee users won’t be hacked (email addresses can even be spoofed, and there are ways to check for this by tracing IP addresses). But a number of actions can be taken to lower the risk of hacking and secure your home.
Use multifactor authentication
Add an additional authentication factor beyond the password, which has become all but obsolete, said Jerry Irvine, chief information officer of Chicago-based security firm Prescient Solutions. The computer security expert spoke at an event on solutions for smart home hacking hosted by insurance company HSB. “When it comes to passwords, if you only have one thing, it’s not enough,” he said.
The extra level of authentication could be a security key or a one-time code received by a phone call or text to keep unknown parties out of smart devices and the apps used to control them. Many websites and apps offer two-step authentication that users can opt into under “settings.” Other methods, including biometric authentication like a thumbprint or an eye scan, are increasingly being turned to as a harder-to-fake two-step authentication option.
The good news is that even if a hacker is able to steal a username and password through one of these strategies, they would still be less likely to access email and other sensitive information if the user employed two-factor authentication — so don’t wait to set these up on all accounts that make it available.
Complete security updates, especially on new devices
Everyone has been there: your phone prompts you to complete a software update, but you brush it aside and click “download later.” Doing so can make devices vulnerable to dangerous malware.
Most smart home devices don't update automatically, so once a month users should open the app corresponding to their smart refrigerator or smart lightbulbs and check for firmware updates, Irvine said. Even when buying a smart device directly from the store, users should check for updates sent out between the time it was manufactured and when it is purchased.
“The reason they push these updates through is because there are vulnerabilities on them,” he said. “Hackers will find these vulnerabilities and get into the devices easily.”
One urgent Apple update, for example, patched a security flaw that allowed hackers to overtake iPhone and computer devices and use them as spying tools. Most updates aren't so dire, but any software patch is pushed with good reason, and ignoring them could cost you a lot.
Install malware protection
Consumers should have some form of malware protection on phones and computers — and that includes MacBooks. For years Apple AAPL, +0.44% products were considered invulnerable to malware, but Irvine said this is no longer the case.
These apps are important because they have built-in application firewalls that allow you to choose which apps you run on your computer or phone,” Irvine said. “If an app comes up that you have never run before, the program will alert you and prevent malicious software from being used on your device.”
While antivirus programs only protect users against 30% to 50% of known viruses, there is no harm in downloading one, and not doing so is a “guarantee you’ll get hacked,” he said. Common antivirus software includes Norton Antivirus and McAfee antivirus, which can be purchased online starting at $19.99 and $59.99 respectively. Sophos Antivirus is a free, secure alternative for both Windows and Mac. Consumers should be wary of which antivirus programs they download, especially if they are free, as some are viruses themselves. Only use well-known services or those recommended and vetted by security professionals.
Don’t use public Wi-Fi
Hackers can access devices via public Wi-Fi. Make sure to turn off the “automatically connect” setting on phones and be wary of shared connections, like those in airports or coffee shops.
Safe alternatives include wireless hot spots, which can be created on many cellphones or devices purchased specifically for mobile internet, like a Verizon Jetpack. Consumers can also use a VPN service, but should be sure to vet the one they choose for security. Many applications, like popular service Hola, collect user information and make them vulnerable to hacking. Irvine suggested paid VPNs like Private Internet Access.
Don’t keep your devices on the same network as your main computer.
Irvine said it is important to segregate internet connections to reduce risk of hacking across devices. Users can purchase a separate internet connection, or split an existing internet connection using a virtual local area network (VLAN). A VLAN segments the main network and compartmentalizes traffic so that if one device is compromised, it cannot be used to access others. Virtual LANs can be set up through your internet connection portal online, but if this sounds too complex, an IT company or service like Geek Squad can easily configure it, Irvine suggested.
Change default usernames and passwords on your devices
Many devices come with a default username and password that hackers can easily find on online forums. Be sure to change these on all new devices, including connected fridges and other smart appliances. Switch to a secure password or passphrase with varied numbers, symbols, and capitalization.
Only use known devices
It might seem like this would go without being said, but don’t pick up an unfamiliar USB drive or CD from the ground and stick it into your computer. Though this sounds like an obvious rule, hackers often rely on pitfalls of the human psyche like curiosity — in the information security world this is known as “social engineering.”
Often hackers will leave devices equipped with malicious software outside office buildings and homes — and it works. Nearly 50% of people will plug a found memory stick into their computers, according to one study from Google GOOG, +0.30% , the University of Illinois Urbana-Champaign, and the University of Michigan. Even the FBI was reportedly hacked in 2008 using social engineering and a stray USB drive.
“It’s like picking up chewed chewing gum off the street and chewing it,” Irvine said. “You don’t know where it has been.”
This story was updated on July 5, 2018.